The cloud-based CRM provider Salesforce has notified account administrators they may have been affected by the malicious Dyre malware, potentially compromising their account usernames and passwords.
Salesforce reported that the investigation is still underway, but that it has yet to find evidence that any of its customers have in fact been impacted.
“This is not a vulnerability within Salesforce,” said the company. “It is malware that resides on infected computer systems and is designed to steal user log-in credentials.”
According to the security alert, Dyre malware (also known as Dyreza) has typically targeted major financial institutions in the US and the UK, including Bank of America, Citibank, NatWest and Ulster Bank.
“It has evolved and we have seen multiple malware campaigns running,” said security researcher Jan Kaastrup from CSIS. “It’s still being distributed using email techniques but the back-end infrastructure has expanded.”
In the latest attack, researchers discovered Dyre was capable of sending users to a replica Salesforce site, obtaining login credentials through keylogging and even bypassing two-factor authentication.
In response, Salesforce urges its users to work with their IT teams to scan for the malware.
“Salesforce.com is dedicated to helping our customers strengthen security in their own environments,” said the company.
Users are advised to use the following security capabilities of the Salesforce Platform:
- Activate IP Range Restrictions to allow access to salesforce.com only from a corporate network or VPN
- Use SMS Identity Confirmation for increased login protection when credentials are used from an unrecognized source
- Implement Salesforce# for two-step verification (available on the iTunes App Store or Google Play)
- Leverage SAML authentication capabilities to require that all authentication attempts are sourced from the appropriate network